Evans says that thinking outside the box, as Davis is doing, might be beneficial.
“I think it’s great that they’re not doing the ‘check the box’ mentality. I think they need to realize, and everyone needs to realize, that FISMA as it stands now is still on the books and there’s nothing that precludes people from getting away from checklists. I think it’s great that he’s going about doing this, [but] I’m always a little hesitant because I always get into these big debates about — is certification and accreditation the right process? I know that’s a big taboo right now. I’ve been through several different presentations where they’re not using that word anymore, and it’s the risk management framework that NIST is working on. But, FISMA has always been about risk-based approach, and so if we get to the goal of managing the risk on information infrastructure, then I’m all for it.”
Forman said he fears that some of the current mentality might go toward fixing the symptoms and not the problems themselves.
“You have to understand the genesis of FISMA. Back in 2001, [when] the first calculation of how secure we were [was done], very few of the applications had security built in. So, the real issue is, long term, how do we get the development community — whether it’s federal or it’s the commercial — to build in good security practices, good applications controls, and then obviously secure the network at the front end. We know it’s always more expensive to do it at the back end, but we also know we had to go through several years of securing the applications that were running the missions, the finances, the transactions of the government. I think Mr. Davis is saying, ‘time to move on’. I think what [CISO] John Streufert at the State Department has done is really exciting, because he’s said, now that we not only can move on, we know these applications will continue to evolve. We haven’t gotten the security practices right to build them into the front end, so let’s adopt a continuous auditing, continuous monitoring, risk-based approach and prioritize our problems as they arise on a daily, hourly basis. That’s exciting to me.”
The application of performance metrics into a risk-based profile is something that Evans says was discussed during her time, but never really achieved. She says now the State Department is running on a dashboard, which allows employees to see problems in real time.
“A lot of the things that we used to talk about trying to get done, like the measurement of risk, or — if I make this decision, what would the cost or the impact be? The State Department has a mechanism now where they can actually do that. They can now show [data like] — ‘The money that we were spending over here, we’re now going to apply over here and measure the risk of how we’re reducing it’. They’re pretty mature in what they’re doing, and what they’re trying to do now is box it up so that other agencies can then emulate what they’ve done. They’re sharing a lot of their best practices.”
Forman said that he would have liked to have seen some discussion of NASA's Nebula in Davis' memo, because Nebula is a platform-as-a-service model that acts as an applications development environment. These types of tools should not be left out of the discussion.
“You can’t go to sleep because we secured the legacy apps. We’ve got to get the mentality and the applications development community to really focus on building in security at the front end. They’ve got a great opportunity with Nebula and the other platform-as-a-service models at NASA. So, I think that deserves as much focus as moving to the risk-based [mentality of] — ‘Alright, we’ve secured the apps, time to move on’ paradigm.”
Continuous monitoring is taking over as the new way to secure an agency, replacing the compliance model that FISMA established.
Evans says that, for the most part, this could be a positive move, but the approach needs to be carefully handled: “For lack of a better term, it’s [about] whether you’re just going to comply because Congress and OMB tells you to do something, or that you’re really trying to achieve the results and manage what you have.”
Part of that challenge, too, is that it can be very difficult to ‘manage in’ compliance. Forman said this was evident when FISMA replaced GISRA. Now, it seems, another transition is occurring.
“We needed that independent review when GISRA turned into FISMA. I think that was pretty well recognized that there had to be the independent review. So, there was pretty onerous compliance activity. At the end of the day, you’d like to see people saying, ‘I don’t need to do compliance anymore because I get it. I understand what I’m supposed to be doing in securing my infrastructure, securing my environment, my applications. That people in their day-to-day work take ownership for security’.”
Thus, the metric that really needs to be measured is whether or not a manager understands what he or she is responsible for in terms of security. Measuring mentalities, however, is easier said than done.
“All the times that I’ve testified on Capitol Hill — and all the times that Mark testified on the Hill on this particular topic, I always turn to GAO and say, ‘Great. I’m all for it. Let’s change the compliance mentality, check-the-box mentality to results. You tell me what metric we should be measuring’. I’m still waiting for GAO to tell me what that metric is, because we’re talking about good management and understanding what your job is.”
A shift in how services are delivered is also occurring, and it is changing the way managers have to think about IT.
“We’re moving more and more to IT as a service. Organizations like Avue — I haven’t talked to them, but I’ve heard from multiple people that when they sell their software-as-a-service, they start with security. . . . That’s the type of shift I think we’re seeing in the commercial economy. I know it’s going to come into government. I know it’s already there in some aspects of government. That all means we’re moving away from that checklist, but we’re not moving away from independent control or independent verification. That’s the standard element of our management practices. You want some independent verification. As we move to IT-as-a-service, I think we’re going to see more of that independent verification, but people also focusing on selling on security.”